IBM's 'Summer of Security' Helps IT Assess, Combat Risks for the Extended Enterprise

IBM is coming off a busy “summer of security,” with rollouts of products, services, partnerships and acquisitions – all aimed at helping IT better identify, diagnose, combat and even predict risks from cloud, mobile and web initiatives. IDN explores IBM’s “summer of security” with Big Blue experts and execs.

"IBM has observed a rise in the demand for stronger authentication and context-based access capabilities."

IBM is coming off a busy “summer of security,” with rollouts of products, services, partnerships and acquisitions – all aimed at helping IT better identify, diagnose, combat and even predict risks from cloud, mobile and web initiatives.

First, Big Blue is shipping web and mobile “modules” for its IBM Security Access Manager appliance, available in a hardware or virtual form fact. “IBM Security Access Manager is an “all-in-one” appliance-based product that customers can purchase in modules, such as ISAM for Web, ISAM for Mobile, etc,” Ravi Srinivasan, Director of Strategy and Product Management for IBM Security Systems, told IDN. “These modules are activated with codes to support their targeted use cases. IBM plans to continue to expand the Security Access Manager suite with key integrations to enforce user access to enterprise and cloud/SaaS applications in flexible delivery models,” he added.

IBM Security Access Manager for Web, Mobile

Beyond handling security for roles and policy, IBM Security Access Manager also sports a deeper level of “context-aware” security, Srinivasan noted. “IBM has actually observed a rise in the demand for stronger authentication and context-based access capabilities. That's precisely the reason Security Access Manager was enhanced in 2012 to incorporate a strong authentication service and one-time passwords that can be delivered via mobile devices and support integration with numerous third party authentication vendors as well,” he said.

Specifics for each module are:

IBM Security Access Manager for Web defends apps and data against targeted web attacks and vulnerabilities. It offers flexible deployment and simple configuration options. It is designed to protect web apps from common attacks, including the top 10 web app risks noted by the Open Web Application Security Project. Extensions are available to protect against newly-identified vulnerabilities, as well as to provide admins insights into how users access information from on premise or cloud.

IBM Security Access Manager for Mobile provides mobile access security protection by proactively enforcing access policies for web environments and mobile collaboration channels. It enables organizations to secure access points into the corporate network and enforce context-based access policies that define who and what can access protected resources. The module reduces mobile security risks using context-based access control and flexible authentication services. It also improve identity assurance with built-in and flexible authentication schemes such as one-time password and RSA SecurID token support.

Under the covers, IBM Security Access Manager employs two key security structures that govern and maintain the security policy for secure domain: a user registry (that contains all users and groups who can participate in the IBM Security Access Manager “secure domain” environment); and a master authorization policy database (that contains a representation of all resources in the domain). A user can participate in the secure domain either as “authenticated” or “unauthenticated,” according to IBM documentation. Authenticated users must have an account in the user registry.

Another key feature in IBM security appliance modules is their speed to deployment, thanks to ready-to-go-live capabilities. “These modules [for web and mobile security] are activated with codes to support their targeted use cases. IBM plans to continue to expand the Security Access Manager suite with key integrations to enforce user access to enterprise and cloud/SaaS applications in flexible delivery models,” he told IDN.

Next, IBM is providing security guidance and implementation services based on the Cybersecurity Framework adopted earlier this year by NIST (National Institute of Standards and Technology). IBM’s Industrial Controls Cybersecurity Consulting service will help corporate and governmental IT introduce a more holistic approach to security into real world situations, Peter Allor, an IBM cybersecurity strategist, told IDN

IBM Services Support for NIST Cybersecurity Framework

The NIST Cybersecurity Framework is the result of a year-long, public/private partnership. The document offers guidance on how to balance security risks with privacy and civil liberties concerns. It also provides useful “profiles” to help organizations assess risk and then align cybersecurity with business requirements, risk tolerances, and resources, according to a NIST summary.

“The [Cybersecurity] Framework provides an overview to a new way to envision security issue, bringing in more stakeholders, not only security professionals. It helps companies get started down the road. But at first, [organizations] will probably need to implement all the framework,” Allor said. “So, IBM will help clients put the framework in a real world setting,” These real world benefits will include: developing a “security baseline,” to assess the organization’s security maturity and prioritize investments, he added.

The Cybersecurity Framework comes as many IT and security execs are wrestling with the new “extended enterprise” – and how to balance risk with business objectives, Allor noted.

“We are in an increasing always-connected world, where IT boundaries are more porous and open to risk,” due in large part of major spikes in adoption of cloud, mobile, APIs, use of external data streams (such as Twitter), Allor said. The massive adoption of Internet of Things projects will leave enterprise boundaries even more porous.

“There is no longer any hard [IT] perimeter, so enterprises need to think about security across their assets – all the way out to the devices and endpoints,” Allor said. “The traditional enterprise infrastructure is changing faster and in more subtler ways than ever.” The NIST Cybersecurity Framework suggests that these changes should prompt companies to think differently about how they find, isolate and cope with cyber risks.

Allor put it this way: “Security has a lifecycle, and any changes to the apps, data and the endpoints will impact your risk profile,” he said. “Traditionally, in security, we look at three key elements – identify, protect and detect. But today, we also need to spend more attention on respond and recover, and understand the whole security lifecycle.”

In fact, IT can leverage how it thinks about ALM (application lifecycle management) to get a handle on how to envision and manage the evolving security lifecycle. “The old straight-line waterfall approach [to appdev] is being replaced with new ways of looking at developing apps for better results,” he said. “Security assessments, in some ways, mirror those changes, and needs to be done more holistically. So, security should no longer just be making a long list, checking off one item and moving on to the next one.”

The [Cybersecurity] Framework shows a more inclusive approach, where cybersecurity risk is part of overall enterprise risk, and includes many more stakeholders. It also presents a new “common language” that all these stakeholders can use to communicate.

“Security perception remains the biggest hurdle for wide-spread enterprise cloud adoption. SoftLayer is the only bare-metal cloud platform offering Intel TXT, leading the industry in enabling customers to build hybrid and cloud environments that can be trusted from end-to-end,” IBM SoftLayer CTO Marc Jones said in a statement. IBM will also be offering services to help customers implement this new capability into their applications and platforms.

IBM's Other Security-Related Acquisitions and Partner News.

Lighthouse Security Group provides cloud-based security services, and was a long-time IBM partner. The Lighthouse Security Group’s Gateway is designed to protect identity and data in IT environments across cloud and mobile access points. It sports a full suite of functionality that is based on IBM Security Identity and Access Management capabilities, including user provisioning, identity lifecycle governance, single sign-on, enterprise user registry services, federation, and user self-service. The acquisition is evidence of customer requests for “federated identity” solutions that can work from a unified platform across mobile, SaaS, cloud and on-premises. IBM continues to observe similar enterprise customer demands,” Srinivasan told IDN. “Lighthouse’s cloud hosted IAM service implements the [IBM] Security Access Manager along with federated SSO and Identity Manager capabilities to support seamless integration of the legacy directory with a cloud-hosted IAM service,” he said.

In a key partnership, IBM is working to improve security and operational efficiencies for analytics, cloud and mobility projects for the U.S. Air Force and U.S. Department of Energy alongside solutions integrator Sirius Computer Solutions, Inc. “Right now, federal agencies are working toward taking advantage of all the benefits that cloud, analytics and mobile capabilities can bring in how they deliver citizen services. We look forward to working closely with Sirius in helping federal clients embrace new innovations while making the most out of existing IT investments,” said Anne Altman, General Manager of IBM’s U.S. Federal unit, in a statement.